The existing unconditional security definitions of quantum key distribution (QKD) do not apply to joint attacks over QKD and the subsequent use of the resulting key. In this paper, we close this potential security gap by using a universal composability theorem for the quantum setting. We first derive a composable security definition for QKD. We then prove that the usual security definition of QKD still implies the composable security definition. Thus, a key produced in any QKD protocol that is unconditionally secure in the usual definition can indeed be safely used, a property of QKD that was hitherto unproven. We propose two other useful sufficient conditions for composability. As a simple application of our result, we show that keys generated by repeated runs of QKD degrade slowly.
Quantum cryptography differs strikingly from its classical counterpart. On one hand, quantum effects are useful in the construction of many cryptographic schemes. On the other hand, dishonest parties can also employ more powerful quantum strategies when attacking cryptographic schemes.



The security of quantum key distribution 

One of the most important quantum cryptographic applications is quantum key distribution (QKD) [1, 2, 3]. The goal of key distribution (KD) is to allow two remote parties, Alice and Bob, to share a secret bit string. Classically, KD cannot be unconditionally secure (i.e. secure against all possible classical attacks) (see Sec. 2). Furthermore, the security of existing classical KD schemes is based on assumptions in computational complexity or on limitations of the memory space of the adversary, Eve. In contrast, QKD is based on an intrinsic property of quantum mechanics, "extracting information about an unknown quantum state inevitably disturbs it" [4], which allows eavesdropping activities to be detected in principle. Indeed, QKD can be unconditionally secure, i.e., secure against an Eve whose capability is limited only by quantum mechanics [5, 6, 7, 8, 9, 10, 11]. Furthermore, QKD remains secure even if the quantum states are sent through a noisy quantum channel, as long as the observed error rates are below certain threshold values.

In what sense is QKD secure? We will describe the assumptions and security definitions more formally in Sec. 2. In QKD, Alice and Bob are assumed to start with a small initial key $K_i$ (for authentication purposes). They have access to uncorrelated randomness that is not controlled by Eve. They may exchange quantum and classical messages in both directions via channels that are completely under the control of Eve, and may perform local quantum operations and measurements. Based on their measurement outcomes, Alice and Bob either abort QKD or generate their respective keys $K_A$, $K_B$. Correspondingly, we say that the QKD test is failed or passed, and the events can be described as $M = 0$ or $M > 0$, where $M$ is the length of the key generated. Eve also obtains quantum and classical data (her "view" or "transcript") from which she extracts classical data $K_E$ via a measurement. What happens during a specific run of QKD depends on Eve's strategy as well as the particular outcomes of the coins and quantum measurements of all the parties. However, the security of QKD can still be captured by requiring that (1) the conditional mutual information $I(K_E : K_A, K_B \mid M)$ is negligible and (2) for all eavesdropping strategies with nonnegligible $\Pr(M > 0)$, $K_A$, $K_B$ are near-uniform and $\Pr(K_A \neq K_B)$ is negligible. Throughout the paper, we use capitalized letters $K_A$, $K_B$, $K_E$, and $M$ to denote the random variables, and uncapitalized letters to denote specific outcomes.

The security problem of using QKD 

Proofs of security of QKD (in the sense described above) address all attacks on the QKD scheme allowed by quantum mechanics. The problem is that QKD is not the only occasion for attack: further attack may occur when Alice and Bob use the keys generated. In particular, Eve may never have made a measurement during QKD to obtain any $K_E$; Eve's transcript is a quantum state. She could have delayed her measurement until after further attack during the application, a strategy whose power has no classical counterpart. In other words, security statements in QKD that revolve around bounding $I(K_E : K_A, K_B \mid M)$ are not applicable if the key is to be used!

The limitations of mutual-information-based security statements were known as folklore for some time (for example, see Sec. 4.2 in [11]). One of the earliest known security problems in QKD is the following [12]: QKD requires a key for authentication, which may in turn come from a previous round of QKD. Since each run of QKD is slightly imperfect, repeated QKD produces less and less secure keys. A conclusive analysis of the degradation has been elusive, since joint attacks over all runs of QKD have to be considered.

As it turns out, there are many other occasions in which joint attacks on QKD and the subsequent use 
of the generated key have to be considered. For example, suppose Alice and Bob perform QKD to obtain 
a key, and then use the key to encrypt quantum states [13, 14]. Eve eavesdrops during both QKD and 
encryption and performs a collective measurement on the two eavesdropped states. It is well-known that 
such a collective measurement may yield more accessible information than the sum of information obtained 
in two separate measurements [15]. 

Our current study is further motivated by the results in [16, 17], which show that there are ensembles of quantum states that provide little accessible information on their own, but can provide much more information when a little more classical data is available. The extra information can be arbitrarily large compared to both the initial information and the amount of extra classical data. Such a strange property reveals a new, unexpected inadequacy of mutual-information-based statements. In particular, in the context of QKD, the usefulness of bounding the initial accessible information of Eve becomes very questionable if Eve delays her measurement until further data is available during the application of the key; the security of the key is questionable even in classical applications!

The goal of the current paper is to study the security of using a key generated by QKD, i.e., the composability of QKD.

The universal composability approach 

Composability is an active area of research that is concerned with the security of composing cryptographic primitives in a possibly complex manner. The simplest example is the security of using a cryptographic primitive as a subroutine in another application. Our paper will follow the universal composability approach. For a specific task (functionality), a primitive that realizes the task is said to be universal composable if any application using the primitive is about as secure as using the ideal functionality. A security definition that ensures universal composability was recently proposed by Canetti [18], and was extended to the quantum setting by some of us [19, 20]. Such universal composable security definitions are useful because they are in terms of the ideal functionality only, without reference to the potential application. The security of a complex protocol can then be analyzed in terms of the security of each individual component in a systematic and error-proof manner. In the quantum setting, universal composability provides the only existing systematic technique for analyzing security in the presence of subtleties including entanglement and collective attacks. We will see in this paper that universal composability provides the precise framework for proving the security of using the keys generated from QKD, a problem that appears intractable at first sight.

We note that an alternative approach to achieve universal composability in the classical setting was obtained in [21], with a generalization to the quantum setting studied in [22].

Main Results 

We have pointed out a serious potential security problem in using the keys generated from QKD. We will address the problem in the rest of the paper. We derive a new security definition for QKD that is universal composable. The essence is that QKD and a certain ideal KD should be indistinguishable from the point of view of potential adversaries. Then, we prove that the original mutual-information-based security definition implies the new composable definition. Other simple sufficient conditions for the composable security of QKD will be discussed. One of these conditions, high singlet-fidelity, has always been an intermediate step in the widely-used "entanglement-based" security proofs of QKD. We show that high singlet-fidelity is much more closely related to composable security than the usual security definition, and we obtain much better security bounds for known QKD schemes. We thus prove the security of using a key generated by QKD in various ways, and provide simple criteria for future schemes. As a corollary, we answer the long-standing question concerning the extent of key degradation in repeated use of QKD [12].

Our work also has non-cryptographic applications in the study of correlations in quantum systems. The 
various security conditions are tied to correlation measures in quantum systems. Each derivation for the 
composable security for QKD is based on relating a pair of correlation measures. 

Related work 

Since the current result was initially presented [23, 24], various related results have been reported. The composable security of generic classes of QKD schemes was proved in [25, 26], following a different approach of showing the composable security of certain privacy amplification procedures against quantum adversaries [25]. These related works share the concerns raised in this paper, with results complementary to ours.

Organization of the paper 

We end this section by introducing some basic elements of the quantum setting. We review QKD in Sec. 2, stating our definitions and assumptions more formally. In Sec. 3, we review the quantum universal composability theorem. We will restrict ourselves to the much simpler case concerning unconditional security. We start describing our main results in Sec. 4, which contains a derivation of a simple criterion for the universal composable security of QKD. In Sec. 5, we prove that the usual security definition for QKD implies universal composable security. In addition, we demonstrate two other sufficient conditions for composable security. One is based on bounding the Holevo information of Eve on the key. The other is based on bounding the singlet-fidelity in security proofs using entanglement purification. The latter implies much better security of existing QKD protocols than is generically implied by the usual security definition. We conclude with lessons learnt from the current results. Frequently used notations and some complicated information-theoretic quantities are listed in the appendix.

Basic elements of quantum mechanics 

A quantum system or register is associated with a Hilbert space $\mathcal{H}$. We only consider finite-dimensional Hilbert spaces. Let $\mathcal{B}(\mathcal{H})$ and $\mathcal{U}(\mathcal{H})$ denote, respectively, the set of bounded operators and the unitary group acting on $\mathcal{H}$. We loosely refer to the system as $\mathcal{H}$ also. A composite quantum system is associated with the tensor product of the Hilbert spaces associated with the constituent systems.

The state of $\mathcal{H}$ is specified by a positive semidefinite density matrix $\rho \in \mathcal{B}(\mathcal{H})$ of unit trace. A density matrix is a convex combination of rank-1 projectors (commonly called pure states) and represents a probabilistic mixture of pure states. Up to an overall phase that is not physically observable, pure states can be represented as vectors in $\mathcal{H}$; $|\psi\rangle$ and $|\psi\rangle\langle\psi|$ denote the vector and the rank-1 projector respectively.

A measurement $\mathcal{M}$ on $\mathcal{H}$ is defined by a POVM, which is a decomposition of the identity into a set of positive semidefinite operators $\{O_k\}$, i.e., $\sum_k O_k = I$. If the state is initially $\rho$, the measurement $\mathcal{M}$ yields outcome $k$ with probability $\mathrm{Tr}(O_k \rho)$ and changes the state to $\sqrt{O_k}\,\rho\,\sqrt{O_k}/\mathrm{Tr}(O_k \rho)$. $\mathcal{M}$ is said to be along a basis $\{|k\rangle\}$ if $\{O_k\} = \{|k\rangle\langle k|\}$. Measuring an unknown state generally disturbs it.

The most general evolution of the state is given by a trace-preserving completely-positive (TCP) linear map $\mathcal{E}$ acting on $\mathcal{B}(\mathcal{H})$. Any such $\mathcal{E}$ can be implemented by preparing a pure state in some ancillary system $\mathcal{H}'$, applying a joint unitary operator $U \in \mathcal{U}(\mathcal{H} \otimes \mathcal{H}')$, and discarding $\mathcal{H}'$ (i.e., taking a partial trace over $\mathcal{H}'$).

We mention two distance measures for quantum states. The first is the trace distance $\|\rho_1 - \rho_2\|_1$ between the density matrices. It determines the maximum probability of distinguishing between the two states by any single measurement. The second measure is the fidelity, $F(\rho_1, \rho_2) = \max_{|\psi_1\rangle, |\psi_2\rangle} |\langle\psi_1|\psi_2\rangle|^2$, where $\rho_{1,2} \in \mathcal{B}(\mathcal{H})$, $|\psi_{1,2}\rangle \in \mathcal{H} \otimes \mathcal{H}'$ are "purifications" of $\rho_{1,2}$ (i.e., $\mathrm{Tr}_{\mathcal{H}'} |\psi_{1,2}\rangle\langle\psi_{1,2}| = \rho_{1,2}$), and $\langle\cdot|\cdot\rangle$ is the inner product in $\mathcal{H} \otimes \mathcal{H}'$.

We refer our readers to the excellent textbook by Nielsen and Chuang [27] for a more comprehensive review of the quantum model of information processing.

2 Quantum Key Distribution 

The goal of key distribution (KD) is to allow two remote parties, Alice and Bob, to share a secret bitstring 
such that no third party, Eve, will have much information about the bitstring. KD is impossible unless Alice 
and Bob can identify one another and detect alterations of their communication. In other words, the task of 
message authentication is necessary for KD. There are unconditionally secure methods for authenticating a 
classical message with a much shorter key [28]. Thus, KD uses authentication as a subroutine, and achieves 
key expansion (producing a key using a much shorter initial key). 

Classically, unconditionally secure KD between two remote parties is impossible. Classical physics permits 
an eavesdropper to have exact duplicates of all communications in any KD procedure without being de- 
tected. In contrast, while quantum key distribution (QKD) cannot prevent eavesdropping, it can detect 
eavesdropping. This allows Alice and Bob to avoid generating compromised keys with high probability. 
The usefulness of QKD is to avoid Alice and Bob being fooled into having a false sense of security. It is 
worth emphasizing what QKD does not offer. First, QKD does not promise to always produce a key, since 
Eve can cause QKD to be aborted with high probability with intense eavesdropping. Second, there is a 
vanishing but non-zero chance that Eve is undetected, so that one cannot make simple security statements 
conditioned on not aborting QKD. 

How and why QKD works, through an example 

Various QKD schemes have been proposed and we only name a few here: BB84 [1], E91 [2], B92 [3], and the six-state scheme [29, 30]. We illustrate the general features and principles behind QKD by describing the class of prepare-&-measure schemes. Recall that Alice and Bob are given secure local coin tosses.

Step 1: Alice first generates a random bitstring, encodes it in some quantum state $\rho_A$, and sends $\rho_A$ to Bob through an insecure quantum channel controlled by Eve. During this time, Eve can manipulate the message (system $A$) in any way allowed by quantum mechanics. Eventually, she will have to give some quantum message $\rho_B$ to Bob for QKD to proceed. Mathematically, Eve's most general operation can be described as attaching a private system $E$ in the state $|0\rangle\langle 0|_E$, applying a joint unitary operation $U$ to produce a joint state $\rho = U(\rho_A \otimes |0\rangle\langle 0|_E)U^\dagger$, and passing system $A$ to Bob (relabeled as system $B$). Thus, Bob and Eve share the joint state $\rho$, and $\rho_B := \mathrm{Tr}_E\,\rho$, $\rho_E := \mathrm{Tr}_B\,\rho$ are their respective reduced density matrices. Meanwhile, Bob measures $\rho_B$ (according to his coin tosses).
Step 2: Bob acknowledges to Alice receipt of the quantum message.
Step 3: Only after Alice hears from Bob will further classical discussion be conducted over a public but authenticated channel.
Step 4: At the end, based on their measurement outcomes and discussions, Alice and Bob either abort QKD ($m = 0$), or generate keys $K_A$ and $K_B$ ($m > 0$), and they announce $m$. Eve will have access to all the classical communication between Alice and Bob, besides the state $\rho_E$. She can measure $\rho_E$ at any time to obtain a classical string $K_E$, though it is to her advantage to wait until after she receives the classical communication. See Figure 1 for a schematic diagram for the class of prepare-&-measure QKD schemes.

Figure 1: Schematic diagram for the class of prepare-&-measure QKD schemes. The classical messages, represented by double lines, are available to Eve. Eve can make her measurement any time after step 1. Dashed boxes represent private laboratory spaces. Outcomes of Alice and Bob's local coins are represented by $r_A$, $r_B$.

The principle behind QKD is that, in quantum mechanics, one can only reversibly extract information from an unknown quantum state if the state is drawn from an orthogonal set [4]. Thus in the prepare-&-measure scheme described above, if Alice encodes her message using a random basis chosen from several nonorthogonal possibilities, and Eve is to obtain any information on the outcomes of $K_A$, $K_B$, then $\rho_B \neq \rho_A$. To detect the disparity, Bob measures some of the received qubits (the "test qubits", chosen randomly to avoid Eve tailoring her attack) and discusses with Alice to check if his measurement outcomes are consistent with what Alice has sent. This intuition can be turned into a provably secure procedure. Alice and Bob estimate various error rates on the test qubits. If the observed error rates are below certain threshold values, it is unlikely that the untested qubits have much higher error rates. Error reconciliation and privacy amplification are applied to extract bitstrings $k_A$ and $k_B$ for Alice and Bob respectively. If the observed error rates are above the thresholds, Alice and Bob abort QKD. QKD remains secure whether the observed noise is due to natural channel noise or due to eavesdropping.
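The following is an added example, not code from the paper: a pure-Python toy of the prepare-&-measure scheme just described, with Eve mounting an intercept-resend attack. `exact_sifted_error_rate` averages the Born-rule probabilities over Alice's choices and Eve's basis guess and shows that her measurement leaves a 25% error rate on the sifted bits (0% without her), and `run_qkd` carries out the test-qubit estimate and the abort decision. The two bases, the equal split between test and key positions, the 11% abort threshold and the seed are assumptions of the example; error reconciliation and privacy amplification are omitted, so `m` here is simply the number of untested sifted bits rather than the final key length.

```python
"""Added example (not part of the paper): toy prepare-&-measure QKD with an
intercept-resend eavesdropper, in pure Python.  All parameters are assumed."""
import random
from math import sqrt

S = 1 / sqrt(2)
# Basis states as real 2-vectors: basis 0 is Z = {|0>,|1>}, basis 1 is X = {|+>,|->}.
STATES = {0: ([1.0, 0.0], [0.0, 1.0]), 1: ([S, S], [S, -S])}


def measure_prob(state, basis, outcome):
    """Born rule: probability that measuring `state` in `basis` gives `outcome`."""
    b = STATES[basis][outcome]
    return (b[0] * state[0] + b[1] * state[1]) ** 2


def exact_sifted_error_rate(eve_present):
    """Average error probability of a sifted bit (Bob used Alice's basis).

    With Eve measuring in a uniformly chosen basis and resending her outcome's
    eigenstate, half of her guesses are wrong and each wrong guess gives Bob a
    50% error, hence 25% overall; without Eve the sifted bits are error-free."""
    total, count = 0.0, 0
    for a_basis in (0, 1):
        for bit in (0, 1):
            psi = STATES[a_basis][bit]
            if not eve_present:
                total += measure_prob(psi, a_basis, 1 - bit)
                count += 1
                continue
            for e_basis in (0, 1):
                err = 0.0
                for e_out in (0, 1):
                    p_e = measure_prob(psi, e_basis, e_out)
                    resent = STATES[e_basis][e_out]
                    err += p_e * measure_prob(resent, a_basis, 1 - bit)
                total += err
                count += 1
    return total / count


def run_qkd(n, eve_present, threshold, seed):
    """One toy run over n qubits.  Returns the test-qubit error rate and the key
    length m (m = 0 means the QKD test failed and the run was aborted)."""
    rng = random.Random(seed)           # stands in for the parties' secure local coins
    sifted = []
    for _ in range(n):
        a_basis, bit = rng.randrange(2), rng.randrange(2)
        psi = STATES[a_basis][bit]
        if eve_present:                 # intercept-resend in a random basis
            e_basis = rng.randrange(2)
            e_out = 1 if rng.random() < measure_prob(psi, e_basis, 1) else 0
            psi = STATES[e_basis][e_out]
        b_basis = rng.randrange(2)
        if b_basis != a_basis:
            continue                    # discarded during basis reconciliation
        b_out = 1 if rng.random() < measure_prob(psi, b_basis, 1) else 0
        sifted.append((bit, b_out))
    rng.shuffle(sifted)                 # random test positions, so Eve cannot target them
    half = len(sifted) // 2
    test, keep = sifted[:half], sifted[half:]
    err_rate = sum(a != b for a, b in test) / max(len(test), 1)
    if err_rate > threshold:
        return {"error_rate": err_rate, "m": 0, "key_a": "", "key_b": ""}
    return {"error_rate": err_rate, "m": len(keep),
            "key_a": "".join(str(a) for a, _ in keep),
            "key_b": "".join(str(b) for _, b in keep)}


if __name__ == "__main__":
    print("exact sifted error rate, no Eve :", exact_sifted_error_rate(False))
    print("exact sifted error rate, Eve    :", exact_sifted_error_rate(True))
    for eve in (False, True):
        r = run_qkd(4000, eve, 0.11, seed=1)
        print("Eve present" if eve else "no Eve", "-> error", round(r["error_rate"], 3),
              "m =", r["m"])
```

The Monte Carlo run uses a fixed seed so that it is reproducible; with 4000 qubits roughly 1000 sifted bits are tested, so an intercept-resend attack sits far above the 11% threshold and the run aborts, whereas the eavesdropper-free run passes with identical keys on both sides.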

General features of any QKD scheme 

There are other QKD schemes besides prepare-&-measure schemes, for example, the entanglement-based QKD schemes (see [2, 7, 31]). Unless otherwise stated, our discussion applies to all QKD schemes. The basic ingredients are still secure local coins, completely insecure quantum communication, and authenticated public classical communication between Alice and Bob. In the most general QKD scheme, the ingredients may be used in any possible way. Alice and Bob still obtain some bitstrings as the output keys, $k_A$ and $k_B$, of a certain length $m$. Eve's view is still given by some quantum and classical data, denoted collectively by $\rho_{E;k_A,k_B}$, with explicit dependence on $k_A$, $k_B$. (Her view is a draw from an ensemble.)

We emphasize a limitation in QKD. It is possible for Eve to be "lucky," for example, to have attacked only the untested qubits, or to have attacked every qubit without causing inconsistency in Alice and Bob's measurements. Thus, it is unlikely, but still possible, for Eve to have a lot of information on the generated key without being detected. No QKD protocol can make the promise "conditioned on passing the test, the keys $K_A$, $K_B$ will be so-and-so." With the above limitation of QKD in mind, there are several approaches to a proper security statement. The approach that is most commonly used in existing security proofs is to bound the probability that Alice and Bob generate bitstrings that are not equal, uniform, or private. We will use a more compact statement in the following.

Let $n$ be a security parameter in QKD (for example, the number of qubits transmitted from Alice to Bob). Fix an arbitrary eavesdropping strategy. The attack induces a distribution $\Pr(M = m)$ on the key length $M$. The average value of $M$ is typically a small fraction of $n$. The outcome $m$ in a particular run of QKD depends on the outcomes of the coins and measurements by Alice and Bob. We can assume that $m$ is made public at the end of QKD. Recall $m > 0$ if the QKD test is passed and $m = 0$ if QKD is aborted.

Let $P^{(m)}$ denote the distribution of $K_A, K_B$ generated in QKD conditioned on $|K_A| = |K_B| = m$, i.e.,

$$P^{(m)}(k_A, k_B) = \Pr(K_A = k_A, K_B = k_B \mid M = m). \qquad (1)$$

Let $P^{(m)}_{\mathrm{ideal}}$ be the following distribution over two $m$-bit strings,

$$P^{(m)}_{\mathrm{ideal}}(k_A, k_B) = \begin{cases} 2^{-m} & \text{if } k_A = k_B, \\ 0 & \text{otherwise.} \end{cases} \qquad (2)$$

Let $\mathcal{V}$ denote the set of exponentially decaying functions of $n$. With these notations, a simple statement for the security condition can be made.

Usual security definition for QKD:

A QKD scheme is said to be secure if the following properties hold for all eavesdropping strategies.

• Equality-and-uniformity: $\exists\, \mu_1 \in \mathcal{V}$ s.t.

$$\sum_{m \ge 0} \Pr(m)\, \big\| P^{(m)} - P^{(m)}_{\mathrm{ideal}} \big\|_1 \le \mu_1 \qquad (3)$$

• Privacy: $\exists\, \mu_2 \in \mathcal{V}$ s.t.

$$\sum_{m \ge 0} \Pr(m)\, I(K_E : K_A, K_B \mid M = m) \le \mu_2 \qquad (4)$$

where $I$ above denotes the mutual information [32] between $K_E$ and $K_A, K_B$ conditioned on $M = m$. Using the equality condition, we only need to focus on $k_A = k_B = k$ in Eq. (4). In particular,

• Privacy: $\exists\, \mu_2' \in \mathcal{V}$ s.t.

$$\sum_{m \ge 0} \Pr(m)\, I(K_E : K \mid M = m) \le \mu_2' \qquad (5)$$

The above security conditions revolve around expressions that can be interpreted as deviations from the desired properties, averaged over $m$. The product in each summand precisely captures the security requirement that large deviations from the desired properties should be a low-probability event. Note that the $m = 0$ terms do not contribute, as $\|P^{(0)} - P^{(0)}_{\mathrm{ideal}}\|_1 = 0$ and $I(K_E : K_A, K_B \mid M = 0) = 0$.
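As an added example (not from the paper), the following pure-Python code evaluates the left-hand sides of Eqs. (3) and (4) for a joint distribution of $(M, K_A, K_B, K_E)$ given as a dictionary, so the two averaged deviations can be computed for any explicit model of an eavesdropping strategy. The distribution returned by `toy_distribution` is constructed for illustration only: it aborts with probability 0.2 and otherwise produces 2-bit keys in which Bob's second bit is flipped with probability 0.1 and Eve holds a noisy copy of Alice's first bit (flipped with probability 1/4). For it, the equality-and-uniformity term is $0.8 \times 0.2 = 0.16$ and the privacy term is $0.8 \times (1 - h(1/4)) \approx 0.151$ bits, $h$ being the binary entropy; a distribution of equal, uniform keys with a constant $K_E$ gives 0 for both.

```python
"""Added example (not part of the paper): evaluating the usual QKD security
conditions, Eqs. (3) and (4), on an explicit joint distribution.
Probabilities are stored in a dict keyed by (m, k_A, k_B, k_E)."""
from collections import defaultdict
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a dict {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(dist, keep):
    """Marginalise a dict {tuple: prob} onto the tuple positions listed in `keep`."""
    out = defaultdict(float)
    for key, p in dist.items():
        out[tuple(key[i] for i in keep)] += p
    return out


def conditional_on_m(joint, m):
    """Return Pr(M=m) and the distribution of (k_A, k_B, k_E) given M=m."""
    cond = {key[1:]: p for key, p in joint.items() if key[0] == m}
    pr_m = sum(cond.values())
    return pr_m, {k: p / pr_m for k, p in cond.items()}


def ideal_distribution(m):
    """P_ideal^(m) of Eq. (2): equal and uniform m-bit keys."""
    if m == 0:
        return {("", ""): 1.0}
    strings = [format(i, f"0{m}b") for i in range(2 ** m)]
    return {(s, s): 2.0 ** -m for s in strings}


def equality_uniformity_term(joint):
    """Left-hand side of Eq. (3): sum_m Pr(m) * ||P^(m) - P_ideal^(m)||_1."""
    total = 0.0
    for m in sorted({key[0] for key in joint}):
        pr_m, cond = conditional_on_m(joint, m)
        p_ab = marginal(cond, (0, 1))            # P^(m)(k_A, k_B), Eve traced out
        ideal = ideal_distribution(m)
        support = set(p_ab) | set(ideal)
        total += pr_m * sum(abs(p_ab.get(k, 0.0) - ideal.get(k, 0.0)) for k in support)
    return total


def privacy_term(joint):
    """Left-hand side of Eq. (4): sum_m Pr(m) * I(K_E : K_A, K_B | M=m) in bits."""
    total = 0.0
    for m in sorted({key[0] for key in joint}):
        pr_m, cond = conditional_on_m(joint, m)
        # I(X:Y) = H(X) + H(Y) - H(X,Y) with X = K_E and Y = (K_A, K_B)
        mi = entropy(marginal(cond, (2,))) + entropy(marginal(cond, (0, 1))) - entropy(cond)
        total += pr_m * mi
    return total


def toy_distribution():
    """Constructed example: abort (m = 0) with probability 0.2; otherwise uniform
    2-bit keys where Bob's second bit is flipped with probability 0.1 and Eve
    holds Alice's first bit flipped with probability 0.25."""
    joint = defaultdict(float)
    joint[(0, "", "", "")] += 0.2
    for ka in ("00", "01", "10", "11"):
        kb_flipped = ka[0] + ("1" if ka[1] == "0" else "0")
        ke_flipped = "1" if ka[0] == "0" else "0"
        for kb, p_b in ((ka, 0.9), (kb_flipped, 0.1)):
            for ke, p_e in ((ka[0], 0.75), (ke_flipped, 0.25)):
                joint[(2, ka, kb, ke)] += 0.8 * 0.25 * p_b * p_e
    return dict(joint)


if __name__ == "__main__":
    joint = toy_distribution()
    print("equality-and-uniformity term:", round(equality_uniformity_term(joint), 6))
    print("privacy term (bits):         ", round(privacy_term(joint), 6))
```

Because both quantities are weighted by $\Pr(m)$, a strategy that forces an abort most of the time contributes little even if the rare surviving keys are poor; that is exactly the averaging the definition intends, and it is why the aborted ($m = 0$) runs contribute zero in the code as in the text.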



3 Quantum Universal Composability Theorem 

Cryptographic protocols often consist of a number of simpler components. A single primitive is rarely used alone. A strong security definition for the primitive should thus reflect the security of using it within a larger application. This allows the security of a complex protocol to be based only on the security of the components and how they are put together, and not on the details of the implementation.

A useful approach is to consider the universal composability of cryptographic primitives [18, 19, 20]. The first ingredient is to ensure the security of a basic composition. We need a security definition stated for a single execution of the primitive that still guarantees security of composition with other systems. This definition involves a description of some ideal functionality of the primitive (i.e. the ideal task the primitive should achieve). More concretely, we want a security definition such that, if $\sigma$ is a secure realization of an ideal subroutine $\sigma_I$, and a protocol $\mathcal{P}$ using $\sigma_I$, written as $\mathcal{P}+\sigma_I$, is a secure realization of $\mathcal{P}_I$ (the ideal functionality of $\mathcal{P}$), then $\mathcal{P}+\sigma$ is also a secure realization of $\mathcal{P}_I$. Throughout the paper, we denote the associated ideal functionality of a protocol by adding a subscript $I$, and we denote a protocol $\mathcal{P}$ calling a subprotocol $\sigma$ as $\mathcal{P}+\sigma$ (this last expression stretches the meaning of $\mathcal{P}$ a little bit to refer to the module of $\mathcal{P}$ calling $\sigma$). The second ingredient is a universal composability theorem stating how a complex protocol can be built out of secure components. It is simply a recipe on how to securely perform basic composition recursively.

The simplifications in analyzing the composable security of QKD 

Our goal is to analyze the unconditional security of QKD by using the quantum universal composability results in [19, 20]. The setting for QKD is simpler than that considered in [19, 20] in two important aspects. First, we are only concerned with unconditional security. Second, in QKD, Alice and Bob are known to be honest, Eve is known to be adversarial, and there is no unpredicted corruption of any party. The formal corruption rules are not used in our derivation of a composable security definition for QKD. The following simplified model is sufficient for our derivation of a universal composable security definition for QKD.

The simplified model 

We first describe the model for quantum protocols and other concepts involved in the quantum composable 
security definition. We base our discussion on the (acyclic) quantum circuit model (see, for example, 
[33, 34]), with an important extension [20] (see also the endnotes [35]). Throughout the paper, we only 
consider circuits in the extended model. 

1. Structure of a protocol: A (cryptographic) protocol $\mathcal{P}$ can be viewed as a quantum circuit in the extended model [20, 35], consisting of inputs, outputs, a set of registers, and some partially ordered operations. A protocol may consist of a number of subprotocols and parties. Each subprotocol consists of smaller units called "unit-roles," within each of which the operations are considered "local." For example, the operations and registers of each party in each subprotocol form a unit-role. Communications between unit-roles within a subprotocol represent internal communications; those between unit-roles in different subprotocols represent input/output of data to the subprotocols. A channel is modeled by an ordered pair of operations by the sender and receiver on a shared register. The channel available to perform each communication determines its security features.

2. The game, security in terms of indistinguishability from the ideal functionality: Let $\mathcal{P}_I$ denote the ideal functionality of $\mathcal{P}$. Intuitively, $\mathcal{P}$ is secure (in a sense defined by $\mathcal{P}_I$) if $\mathcal{P}$ and $\mathcal{P}_I$ behave similarly under any adversarial attack. "Similarity" between $\mathcal{P}$ and $\mathcal{P}_I$ is modeled by a game between an environment $\mathcal{E}$ and a simulator $\mathcal{S}$. These are sets of registers and operations to be defined, and they are sometimes personified in our discussion. In general, $\mathcal{P}$ and $\mathcal{P}_I$ have very different internal structures and are very distinguishable, and the simulator $\mathcal{S}$ is added to $\mathcal{P}_I$ to make an extended ideal protocol $\mathcal{P}_I+\mathcal{S}$ that is less distinguishable from $\mathcal{P}$. $\mathcal{E}$ consists of the adversaries that act against $\mathcal{P}$ and an application protocol that calls $\mathcal{P}$ as a subprotocol. At the beginning of the game, $\mathcal{P}$ or $\mathcal{P}_I+\mathcal{S}$ is picked at random. $\mathcal{E}$ will call and act against the chosen protocol, and will output a bit $T$ at the end of the game. The similarity between $\mathcal{P}$ and $\mathcal{P}_I+\mathcal{S}$ (or the lack of it) is captured by the statistical difference in the output bit $T$.

3. Valid $\mathcal{E}$: The application and adversarial strategy of $\mathcal{E}$ are first chosen (the same whether it is interacting with $\mathcal{P}$ or $\mathcal{P}_I+\mathcal{S}$). $\mathcal{E}$ has to obey quantum mechanics, but is otherwise unlimited in computational power. If $\mathcal{P}$ is chosen in the game, $\mathcal{E}$ can (i) control the input/output of $\mathcal{P}$, (ii) attack insecure internal communication as allowed by the channel type, (iii) direct the adversarial parties to interact with the honest parties in $\mathcal{P}$. $\mathcal{E}+\mathcal{P}$ has to be an acyclic circuit in the extended model [20, 35].

4. Valid $\mathcal{P}_I$ and $\mathcal{S}$: If $\mathcal{P}_I+\mathcal{S}$ is chosen in the game, $\mathcal{E}$ (i) controls the input/output of $\mathcal{P}_I$ as before. However, the interactions given by (ii) and (iii) above will now occur between $\mathcal{E}$ and $\mathcal{S}$ instead. ($\mathcal{S}$ is impersonating or simulating $\mathcal{P}$.) The strategy of $\mathcal{S}$ can depend on the strategy of $\mathcal{E}$. $\mathcal{P}_I$ should have the same input/output structure as $\mathcal{P}$, but is otherwise arbitrary. (Of course, the security definition is only useful if $\mathcal{P}_I$ carries the security features we want to prove for $\mathcal{P}$.) In particular, $\mathcal{P}_I$ may be defined with internal channels and adversaries different from those of $\mathcal{P}$. $\mathcal{S}$ can (ii') attack insecure internal communication of $\mathcal{P}_I$ and (iii') direct the adversarial parties to interact with the honest parties in $\mathcal{P}_I$. Thus, $\mathcal{P}_I$ exchanges information with $\mathcal{S}$, and this can modify the security features of $\mathcal{P}_I$. To $\mathcal{E}$, $\mathcal{S}$ acts like part of $\mathcal{P}_I$, "padding" it to look like $\mathcal{P}$, while to $\mathcal{P}_I$, $\mathcal{S}$ acts like part of $\mathcal{E}$. It is amusing to think of $\mathcal{S}$ as making a "man-in-the-middle" attack between $\mathcal{E}$ and $\mathcal{P}_I$. Finally, $\mathcal{E}+\mathcal{P}_I+\mathcal{S}$ has to be an acyclic circuit in the extended circuit model [20, 35]. See Figure 2 for a summary of the game and the rules.



Figure 2: The game defining the composable security definition. The curved region in $\mathcal{E}$ represents the adversaries against $\mathcal{P}$, and the curved region in $\mathcal{S}$ represents the adversaries against $\mathcal{P}_I$. We label the types of interactions as described in the text.



With a slight abuse of language, the symbols $\mathcal{P}$ and $\mathcal{P}_I+\mathcal{S}$ are also used to denote the respective events of their being chosen at the beginning of the game. We can now state the universal composable security definition.

Definition 1: $\mathcal{P}$ is said to $\epsilon$-securely realize $\mathcal{P}_I$ (shorthand: $\mathcal{P}$ $\epsilon$-s.r. $\mathcal{P}_I$) if

$$\forall\, \mathcal{E}\ \ \exists\, \mathcal{S} \ \text{ s.t. }\ \big| \Pr(T = 0 \mid \mathcal{P}) - \Pr(T = 0 \mid \mathcal{P}_I+\mathcal{S}) \big| \le \epsilon. \qquad (6)$$

We call $\epsilon$ in Eq. (6) the distinguishability-advantage between $\mathcal{P}$ and $\mathcal{P}_I$. This security definition (in the model described) is useful because security of basic composition follows "by definition" [19, 20]. We have the following simple version of a universal composability theorem.

Theorem 1: Suppose a protocol $\mathcal{P}$ calls a subroutine $\sigma$. If $\sigma$ $\epsilon_\sigma$-s.r. $\sigma_I$ and $\mathcal{P}+\sigma_I$ $\epsilon_{\mathcal{P}}$-s.r. $\mathcal{P}_I$, then $\mathcal{P}+\sigma$ $\epsilon$-s.r. $\mathcal{P}_I$ for $\epsilon \le \epsilon_{\mathcal{P}} + \epsilon_\sigma$.

Theorem 1 can be generalized to any arbitrary protocol with a proper modular structure. An example of an improper modular structure is one with a security deadlock, in which the securities of two components are interdependent.

Proper modular structures can be characterized as follows. Let $\mathcal{P}+\sigma_1+\sigma_2+\cdots$ be any arbitrary protocol using a number of subprotocols. This can be represented by a 1-level tree, with $\mathcal{P}$ being the parent and $\sigma_{1,2,\ldots}$ the children. Each of $\sigma_{1,2,\ldots}$ may use other subprotocols, and the corresponding node will be replaced by an appropriate 1-level subtree. This is done recursively, until the highest-level subprotocols (the leaves) call no other subprotocols. These are the primitives. It was proved in [20] that more general modular structures, represented by an acyclic directed graph, can be transformed to a tree. The following composability theorem relates the security of a protocol $\mathcal{P}$ to the security of all the components in the tree.

Theorem 2: Let $\mathcal{P}$ be a protocol and $T_{\mathcal{P}}$ the associated tree. Let $\mathcal{M}$ be the protocol corresponding to any node in $T_{\mathcal{P}}$, with subprotocols $\mathcal{M}_i$. Suppose that for every $\mathcal{M}$, $\mathcal{M}+\mathcal{M}_{1I}+\mathcal{M}_{2I}+\cdots$ $\epsilon_{\mathcal{M}}$-s.r. $\mathcal{M}_I$. If $\sum_{\mathcal{M}} \epsilon_{\mathcal{M}} \le \epsilon$, then $\mathcal{P}$ $\epsilon$-s.r. $\mathcal{P}_I$, where the sum is over all nodes in $T_{\mathcal{P}}$.

Theorem 2 is obtained by recursive use of Theorem 1 and the triangle inequality. The idea is to replace subprotocols one by one by their ideal functionalities at the highest level, and proceed recursively to lower levels toward the root. The distinguishability-advantage between $\mathcal{P}$ and $\mathcal{P}_I$ is upper bounded by the sum of all the individual distinguishability-advantages between pairs of protocols before and after each replacement. See Figure 4 for an example of $T_{\mathcal{P}}$ that describes repeated QKD.

Note that the composable security definition for QKD derived in the simplified setting will remain applicable in the general setting considered in [19, 20]. However, when applying Theorem 2 to analyze the security of an application using QKD, one should use a setting appropriate for that particular application.

In the next section, we analyze QKD in the composability framework. This is part of our main result, and 
an example to illustrate the composability framework. 



4 Universal composable security definition of QKD 



We first describe a general QKD scheme in the composability framework. Then, we tailor an ideal functionality for KD that resembles QKD. Finally, we express the universal composable security definition of QKD as a simple distinguishability criterion.



4.1 QKD in the game defining security 



Our discussion relies on the existence of authentication schemes that are universal composable in the 
quantum setting. Furthermore, the authentication scheme should use a key much shorter than the message 
to be authenticated (so that QKD indeed expands a key). For example, the scheme in [28] satisfies such 
conditions (composability is proved in [36]). Let $\alpha$ denote any such authentication scheme and let $\alpha_I$ denote 
ideal authentication. Let $\kappa+\alpha$ denote QKD using authentication scheme $\alpha$ and let $\kappa_I$ denote an ideal KD 
protocol to be defined. By Theorem 1, we can focus on the security of $\kappa+\alpha_I$, i.e., QKD using perfectly 
authenticated classical channels. The initial key requirement is embedded in the subroutine $\alpha_I$. In this 
case, QKD has no input. It outputs some bitstrings $k_A, k_B$ of a certain length $m$ to Alice and Bob, with 
$m = 0$ if and only if QKD is aborted. (We can assume that $m$ is publicly announced, and consider $m$ as 
an output of QKD.) Eve's view (including both quantum and classical data) is given by the state $\rho_{E,k_A,k_B}$. 

We now turn to the game defining the composable security definition of QKD. Eve is an adversary that is 
part of the environment $\mathcal{E}$. Following the discussion in Sec. 3, $\mathcal{E}$ will fix an arbitrary strategy. Since there 
is no input to QKD, the optimal application in $\mathcal{E}$ is simply to receive the output keys from $\kappa+\alpha_I$ or $\kappa_I$. $\mathcal{E}$ 
will also consist of the action of Eve and other circuits that compute $\Gamma$. A schematic diagram is given in 
Figure 3. 




Figure 3: The game defining the composable security definition of QKD, with our choice of ideal KD and 
simulator. An ordering of the interactions is given in circles. We also label the types of interactions (see 
rules 3 and 4 in Sec. 3) explicitly. Upon an input m, the checkered box generates a perfect key of length 
m to Alice and Bob. 



If $\mathcal{E}$ is interacting with $\kappa+\alpha_I$, $\mathcal{E}$ will: (i) receive the output bitstrings $k_A, k_B$, and $m = |k_A| = |k_B|$, and (ii) 
obtain $\rho_{E,k_A,k_B}$, which depends on Eve's strategy and $k_A, k_B$. Altogether, $\mathcal{E}$ will be in possession of the state 



$$\rho_{\rm qkd} = \sum_{k_A,k_B} \Pr(k_A,k_B)\, |k_A,k_B\rangle\langle k_A,k_B| \otimes \rho_{E,k_A,k_B} \qquad (7)$$
in which $\rho_{E,k_A,k_B}$ and $k_A, k_B$ can be correlated. We have omitted an explicit register for $m$, because the 
information is redundant given $k_A, k_B$. See Figure 3 for a schematic diagram for QKD, and how it interacts 
with the environment. 

4.2 Ideal KD and the simulator 

We now define the ideal functionality for QKD. In general, when formulating an ideal functionality, one 
need not be concerned with how the functionality is realized. What is important is to impose the essential 
security features while mimicking the analyzed protocol from the point of view of £. 

Our ideal KD functionality $\kappa_I$ has to model both the possibility to generate a perfect key, and the possibility 
for Eve to cause QKD to be aborted. Besides Alice and Bob, $\kappa_I$ has a box that accepts a value $m$ from 
an adversary "Devil" and outputs a perfect $m$-bit key $K$ to Alice and Bob ($m = 0$ means abort). When 
$\kappa_I$ is run, Devil sends $m$ to the box, which sends $K$ to Alice and Bob. This formulation of $\kappa_I$ satisfies the 
security conditions Eqs. (3) and (5) perfectly ($\mu_{1,2} = 0$). See Figure 3 for a schematic diagram. 

Consider the following simulator $S$. $S$ runs a "fake QKD" with fake Alice' and Bob'. They interact 
with Eve (in $\mathcal{E}$) and run the verification procedure as in QKD. A value $m$ is announced for the fake QKD, 
but the fake output keys are unused and kept secret in $S$. The Devil in $S$ then sends $m$ to the box in 
$\kappa_I$, which generates a perfect $m$-bit key string $k$ to Alice and Bob in $\kappa_I$, who forward their outputs to $\mathcal{E}$. Let 

$$\tilde{\rho}_m = \sum_{k_A,k_B:\,|k_A|=|k_B|=m} \Pr(k_A,k_B\,|\,M=m)\; \rho_{E,k_A,k_B} . \qquad (8)$$

Then, at the end of the game, $\mathcal{E}$ will be in possession of the state 

$$\rho_{\rm ideal} = \sum_k \Pr(M=|k|)\, 2^{-|k|}\, |k,k\rangle\langle k,k| \otimes \tilde{\rho}_{|k|} . \qquad (9)$$

See Figure 3 for a schematic diagram of how $\kappa_I+S$ interacts with $\mathcal{E}$. 

4.3 Universal composable security definition and simple privacy condition 

Recall that at the beginning of the game, one of $\kappa$ and $\kappa_I+S$ is chosen at random to interact with $\mathcal{E}$. The 
distinguishability-advantage is upper bounded by the trace distance of the two possible final states of $\mathcal{E}$ 
right before $\Gamma$ is computed, 

$$|\Pr(\Gamma=0\,|\,\kappa) - \Pr(\Gamma=0\,|\,\kappa_I+S)| \le \tfrac12 \|\rho_{\rm qkd} - \rho_{\rm ideal}\|_1 \qquad (10)$$

$$\le \tfrac12 \|\rho_{\rm qkd} - \rho_{\rm qi1}\|_1 + \tfrac12 \|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1 + \tfrac12 \|\rho_{\rm qi2} - \rho_{\rm ideal}\|_1 , \qquad (11)$$

where $\rho_{\rm qi1}$ and $\rho_{\rm qi2}$ are hybrid, intermediate, states between $\rho_{\rm qkd}$ and $\rho_{\rm ideal}$ defined as 

$$\rho_{\rm qi1} = \sum_k \Pr(M=|k|)\, 2^{-|k|}\, |k,k\rangle\langle k,k| \otimes \rho_{E,k,k} , \qquad (12)$$

$$\rho_{\rm qi2} = \sum_k \Pr(M=|k|)\, 2^{-|k|}\, |k,k\rangle\langle k,k| \otimes \bar{\rho}_{|k|} , \quad \text{with} \qquad (13)$$

$$\bar{\rho}_m = \sum_{k:|k|=m} 2^{-m}\, \rho_{E,k,k} . \qquad (14)$$

The sum of the first and the last terms in Eq. (11) can be bounded by $\mu_1$ in the equality-and-uniformity 
condition (Eq. (3) in Sec. 2) as follows. Using Eqs. (7) and (12), 



$$\|\rho_{\rm qkd} - \rho_{\rm qi1}\|_1 = \left\| \sum_{k_A \neq k_B} \Pr(k_A,k_B)\, |k_A,k_B\rangle\langle k_A,k_B| \otimes \rho_{E,k_A,k_B} + \sum_k \left[\Pr(k,k) - \Pr(|k|)\, 2^{-|k|}\right] |k,k\rangle\langle k,k| \otimes \rho_{E,k,k} \right\|_1 \le \mu_1 .$$

Using Eqs. (9) and (13), 

$$\|\rho_{\rm qi2} - \rho_{\rm ideal}\|_1 \le \sum_m \Pr(M=m)\, \|\bar{\rho}_m - \tilde{\rho}_m\|_1 \le \mu_1 ,$$

where we have used $\bar{\rho}_m = \sum_{k_A,k_B} p^m_{\rm ideal}(k_A,k_B)\, \rho_{E,k_A,k_B}$, $\tilde{\rho}_m = \sum_{k_A,k_B} p^m_{\rm qkd}(k_A,k_B)\, \rho_{E,k_A,k_B}$, and the 
equality-and-uniformity condition Eq. (3) for the last inequality. The remaining term in the composable 
security condition Eq. (11) is given by 



$$\tfrac12 \|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1 = \tfrac12 \left\| \sum_k \Pr(M=|k|)\, 2^{-|k|}\, |k,k\rangle\langle k,k| \otimes \left[\bar{\rho}_{|k|} - \rho_{E,k,k}\right] \right\|_1 \le \tfrac12 \sum_k \Pr(M=|k|)\, 2^{-|k|}\, \|\bar{\rho}_{|k|} - \rho_{E,k,k}\|_1 , \qquad (15)$$

which can be interpreted as a new privacy condition. 

We have thus compartmentalized the composable security definition for QKD, Eq. (10) or Eq. (11), into 
two parts: the original equality-and-uniformity condition Eq. (3) and a new privacy condition Eq. (15), 
which we loosely call a "composable privacy condition" for QKD. Once Eq. (15) is bounded by some $\mu_3$, 
QKD using ideal authentication $\kappa+\alpha_I$ $\epsilon_\kappa$-securely realizes the ideal KD $\kappa_I$, if $\mu_1 + \mu_3 \le \epsilon_\kappa$. Following 
Theorems 1 and 2, one can use the key "as if it were perfect." Proving such a bound on Eq. (15) is 
relatively straightforward, as compared to a direct proof of the security of using a slightly imperfect key 
from QKD (without the composability theorem). 

In the following section, we prove several bounds for Eq. (15). First, we show that for any QKD scheme 
satisfying the usual privacy condition Eq. (5), Eq. (15) can be bounded as well, albeit with a potentially 
large but manageable degradation. Second, we prove a tighter bound on Eq. (15) assuming a privacy 
condition in terms of Eve's Holevo information on the key. Finally, we propose a new, tight, sufficient 
condition for bounding Eq. (10) (the full composable security condition), which bypasses Eq. (5) and automatically 
incorporates all of equality, uniformity, and privacy, based on the singlet-fidelity considered in most 
existing security proofs for QKD. As an application, we obtain sharp upper bounds for Eq. (10) for existing 
QKD schemes. 

5 Universal composability of QKD 

5.1 Usual privacy condition implies composable privacy condition 



Bound 1: We first mention a loose upper bound for $\|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1$. It is upper bounded by 

$$\sum_m \Pr(M=m) \left\| \sum_{k:|k|=m} 2^{-m}\, |k,k\rangle\langle k,k| \otimes \left[\bar{\rho}_{|k|} - \rho_{E,k,k}\right] \right\|_1$$

and according to Lemma 1 of [16], each trace distance is upper-bounded by $(2^m+1)^2 \sqrt{2(\ln 2)\, I(K_E:K|m)}$ 
(we use the shorthand $m$ for $M=m$ in the mutual information). Thus 
$$\|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1 \le \sum_m \Pr(M=m)\, (2^m+1)^2 \sqrt{2(\ln 2)\, I(K_E:K|m)}$$

$$\le (2^{\max(m)}+1)^2 \sqrt{2(\ln 2)} \sum_m \Pr(M=m) \sqrt{I(K_E:K|m)}$$

$$\le (2^{\max(m)}+1)^2 \sqrt{2(\ln 2)} \left[ \sum_m \Pr(M=m)\, I(K_E:K|m) \right]^{1/2}$$

$$\le (2^{\max(m)}+1)^2 \sqrt{2(\ln 2)}\, \sqrt{\mu_2}$$

where the second last line is obtained by the Cauchy-Schwarz inequality. Typically, $\max(m)$ is a small 
fraction of $n$, the security parameter such as the number of qubits communicated. Recall that $\mu_2 \in \mathcal{V}$, 
the set of exponentially decaying functions of $n$. With a limit on the key rate $m/n$ (based on how fast $\mu_2$ 
vanishes), $\epsilon_\kappa \in \mathcal{V}$ also. We now derive a slightly better bound. 

Bound 2: The second bound of Eq. (15) requires two lemmas. The Shannon distinguishability [37] of two 
quantum states $\varrho_0$ and $\varrho_1$, $\mathrm{SD}(\varrho_0, \varrho_1)$, is defined as the accessible information on $C$ obtained by measuring 
a specimen of $\varrho_C$, where $C$ is a coin toss (see [37]). 

Lemma 1: Let $I_{\rm acc}$ be the accessible information of an ensemble $\{q_x, \varrho_x\}_x$ of finite-dimensional states 
(i.e. $I_{\rm acc}$ is the maximum information obtained on $X$ by measuring a single specimen of $\varrho_X$, where 
$\Pr(X = x) = q_x$). Let $\varrho = \sum_x q_x \varrho_x$. Then, $\forall x$, $q_x\, \mathrm{SD}(\varrho_x, \varrho) \le I_{\rm acc}$. 

Proof of Lemma 1: Define random variables $C, X_1, X_2$ and $Y$ as: 

1. $C$ is a coin toss. 

2. $X_1 = x$ with probability $q_x$. 

3. If $C = 0$, $X_2 = X_1$; else $X_2 = x'$ with probability $q_{x'}$. 

4. $Y$ is the outcome of measuring $\varrho_{X_2}$. 

These random variables are defined so that for each $x$, $I(Y:C\,|\,X_1=x)$ is the information gained on whether 
a randomly drawn state is $\varrho_x$ or $\varrho$ by measuring the state. Also, $\Pr(X_2 = x) = q_x$ and $\varrho_{X_2}$ is simply a draw 
from the initial ensemble. 

Note that $Y$ depends on the measurement. For the measurement attaining $\mathrm{SD}(\varrho_x, \varrho)$, 

$$I(Y:C\,|\,X_1) = \sum_{x'} q_{x'}\, I(Y:C\,|\,X_1=x') \ge q_x\, \mathrm{SD}(\varrho_x, \varrho) , \qquad (16)$$

whereas for any measurement, 

$$I(Y:C\,|\,X_1) = I(Y:X_1 C) - I(Y:X_1) \le I(Y:X_1 C) \le I(Y:X_2) \le I_{\rm acc} \qquad (17)$$

where the three inequalities are respectively due to the chain rule, the fact that $X_1 C \to X_2 \to Y$ is a Markov 
chain, and the optimality of $I_{\rm acc}$. □ 

We also use the following relation between the trace distance and the Shannon distinguishability, readily 
obtained from Eq. (47) and Fig. 1 of [37]. 

Lemma 2: $\forall \varrho_0, \varrho_1$, $\|\varrho_0 - \varrho_1\|_1 \le 2\sqrt{\mathrm{SD}(\varrho_0, \varrho_1)}$. 

Proof of Bound 2: For each key length $m$, define $\mathcal{F}_m$ to be the ensemble $\{2^{-m}, \rho_{E,k,k}\}_{|k|=m}$. Lemmas 
1 and 2 imply 

$$\|\bar{\rho}_{|k|} - \rho_{E,k,k}\|_1 \le 2^{\frac{|k|}{2}+1} \sqrt{I(K_E:K\,|\,m)}$$

and we can bound Eq. (15) using the above, the Cauchy-Schwarz inequality, and the usual privacy condition 
Eq. (5): 

$$\|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1 \le \sum_k \Pr(M=|k|)\, 2^{-|k|}\, \|\bar{\rho}_{|k|} - \rho_{E,k,k}\|_1$$

$$\le \sum_m \Pr(M=m)\, 2^{\frac{m}{2}+1} \sqrt{I(K_E:K\,|\,m)}$$

$$\le 2^{\max(m)/2+1} \left[ \sum_m \Pr(M=m)\, I(K_E:K\,|\,m) \right]^{1/2}$$

$$\le 2^{\max(m)/2+1} \sqrt{\mu_2} .$$

Once again, the key length is a fraction of $n$, and if appropriate limits on the key rate are imposed 
(depending on $\mu_2$), the above still vanishes exponentially with $n$. 
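As an added worked calculation, not from the original paper, the key-rate caveat of Bounds 1 and 2 made explicit under two illustrative assumptions of ours: $\mu_2 = 2^{-cn}$ for a constant $c > 0$, and $\max(m) = rn$ for a key rate $r > 0$.

$$\text{Bound 2:}\quad 2^{\max(m)/2+1} \sqrt{\mu_2} = 2^{rn/2+1} \cdot 2^{-cn/2} = 2^{\,1-(c-r)n/2} ,$$

which lies in $\mathcal{V}$ exactly when $r < c$. For Bound 1, using $(2^{rn}+1)^2 \le (2 \cdot 2^{rn})^2 = 4 \cdot 2^{2rn}$,

$$\text{Bound 1:}\quad (2^{\max(m)}+1)^2 \sqrt{2(\ln 2)}\, \sqrt{\mu_2} \le 4\sqrt{2(\ln 2)}\; 2^{2rn} \cdot 2^{-cn/2} = 4\sqrt{2(\ln 2)}\; 2^{-(c-4r)n/2} ,$$

which decays only when $r < c/4$. So under these assumptions Bound 2 tolerates four times the key rate of Bound 1 before the composable advantage stops vanishing, while any rate beyond $c$ leaves both bounds uninformative.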



5.2 Small Holevo information implies composable privacy 

Suppose, instead of the usual privacy condition Eq. (5) in terms of the accessible information, we have 

• Privacy: $\exists \mu_2' \in \mathcal{V}$ s.t. 

$$\sum_m \Pr(M=m)\, \chi(\mathcal{F}_m) \le \mu_2' \qquad (18)$$

where $\chi$ is the Holevo information [38], and $\mathcal{F}_m = \{2^{-m}, \rho_{E,k,k}\}_{|k|=m}$ is as defined before. Eq. (18) is more 
stringent than Eq. (5) since the Holevo information is an upper bound for the accessible information. It 
was proved in [39] that the Holevo information for an ensemble is the average of the relative entropies 
of the states in the ensemble to the average state. Applying this fact to $\mathcal{F}_m$, 



$$\chi(\mathcal{F}_m) = \sum_{k:|k|=m} 2^{-m}\, S(\rho_{E,k,k} \,\|\, \bar{\rho}_m) .$$

Furthermore, the relative entropy is related to the trace distance [40], 

$$\|\rho_{E,k,k} - \bar{\rho}_m\|_1^2 \le 2(\ln 2)\, S(\rho_{E,k,k} \,\|\, \bar{\rho}_m) .$$

Thus Eq. (15) can be bounded as 

$$\|\rho_{\rm qi1} - \rho_{\rm qi2}\|_1 \le \sum_k \Pr(M=|k|)\, 2^{-|k|}\, \|\bar{\rho}_{|k|} - \rho_{E,k,k}\|_1$$

$$\le \left[ \sum_k \Pr(M=|k|)\, 2^{-|k|}\, \|\bar{\rho}_{|k|} - \rho_{E,k,k}\|_1^2 \right]^{1/2}$$

$$\le \left[ 2(\ln 2) \sum_k \Pr(M=|k|)\, 2^{-|k|}\, S(\rho_{E,k,k} \,\|\, \bar{\rho}_{|k|}) \right]^{1/2}$$

$$= \left[ 2(\ln 2) \sum_m \Pr(M=m)\, \chi(\mathcal{F}_m) \right]^{1/2} \qquad (19)$$

$$\le \sqrt{2(\ln 2)\, \mu_2'}$$

which does not have an overhead exponential in the length of the key generated. 



5.3 A new sufficient condition for composable security 



We can easily analyze the composable security of any QKD scheme that has a security proof based on entanglement 
purification protocols. All existing QKD schemes have such security proofs. The final keys $K_A, K_B$ 
are outcomes of Alice and Bob's measurements on a shared state $\rho^m_{AB}$ for some $m$, and $\rho^m_{AB}$ is supposed to 
be $\Phi^{\otimes m}$ in the absence of eavesdropping. Here, $m$ is again the key length and $\Phi = \frac12 (|00\rangle + |11\rangle)(\langle 00| + \langle 11|)$. 
The usual privacy condition Eq. (5) is obtained by showing the following. 

• High fidelity: $\exists \mu_2'' \in \mathcal{V}$ s.t. 

$$\sum_m \Pr(m)\, [\, 1 - F(\rho^m_{AB}, \Phi^{\otimes m}) \,] \le \mu_2'' \qquad (20)$$

(See Sec. 1 for the definition of $F$.) The above turns out to provide a sharp bound on Eq. (15), as shown 
below. 

Let $\rho^m_{ABE}$ be the state held by Alice, Bob, and Eve right before the final measurements of Alice and Bob. 
We only need to consider $m > 0$. Let $|\psi^m_1\rangle$ be a purification of $\rho^m_{ABE}$ on systems A, B, E and X. $|\psi^m_1\rangle$ is 
also a purification of $\rho^m_{AB}$. By Uhlmann's Theorem [41], there exists a purification $|\psi^m_2\rangle$ over systems A, 
B, E and X such that 



By construction of $|\psi^m_1\rangle$ and $|\psi^m_2\rangle$, measuring A and B and tracing X results in $\rho^m_{\rm qkd}$ and $\rho^m_{\rm ideal}$ respectively. 
But measuring and tracing can only increase the fidelity of two states. Thus 

$$F(\rho^m_{\rm qkd}, \rho^m_{\rm ideal}) \ge F(\psi^m_1, \psi^m_2) .$$

Finally, we use the fact 

$$\|\rho^m_{\rm qkd} - \rho^m_{\rm ideal}\|_1 \le 2\sqrt{1 - F(\rho^m_{\rm qkd}, \rho^m_{\rm ideal})}$$

to obtain 

$$\|\rho^m_{\rm qkd} - \rho^m_{\rm ideal}\|_1^2 \le 4\, [\, 1 - F(\rho^m_{AB}, \Phi^{\otimes m}) \,] .$$

Putting all these together, we can bound Eq. (10) as 

$$\tfrac12 \|\rho_{\rm qkd} - \rho_{\rm ideal}\|_1 \le \tfrac12 \sum_m \Pr(M=m)\, \|\rho^m_{\rm qkd} - \rho^m_{\rm ideal}\|_1 \le \tfrac12 \left[ \sum_m \Pr(M=m)\, \|\rho^m_{\rm qkd} - \rho^m_{\rm ideal}\|_1^2 \right]^{1/2} \le \sqrt{\mu_2''} . \qquad (21)$$



Eq. (20) is a good new sufficient condition for composable security, being part of the standard QKD proof 
and a tight bound on Eq. (10) simultaneously. It also implies both equality-and-uniformity and privacy 
(unlike a bound on Holevo information or mutual information, which only implies the composable privacy 
condition). 
6 Discussions and applications 



We have motivated this work with a discussion of the potential gap between the desired security of using 
a key generated by QKD and the security promised by the privacy condition Eq. (5) used in the study of 
"unconditional security" of QKD. We then apply the universal composability theorem to obtain a new 
security condition that will guarantee the security of using a key generated from QKD. We propose a new 
privacy condition Eq. (15) that is composable, and useful sufficient conditions such as Eq. (18) or Eq. (20). 
Most interesting of all, we show that a bound on the singlet-fidelity Eq. (20) directly implies the composable 
security condition Eq. (10). These are our main contributions (in the context of cryptography). 

We also provide a proof that the existing privacy condition Eq. (5) does imply Eq. (15), albeit with a 
degradation factor in the security exponential in the key size. This ensures the security of using a key 
generated from any QKD scheme that has been proved secure, provided the key rate is limited accordingly. 
Despite the existence of such connections, we emphasize that future research should address Eq. (10), 
Eq. (15), Eq. (18), or Eq. (20) directly. We also provide a sharp bound on Eq. (15) based on the Holevo 
information Eq. (18) or singlet-fidelity Eq. (20). We are glad to find that the existing security proofs for 
QKD imply sharp bounds on Eq. (10), when bypassing the usual privacy condition Eq. (5). Outside the 
context of cryptography, these connections between various privacy conditions can be useful for the study 
of correlations in quantum systems. 

It is open whether the degradation of the security (that is exponential in the generated key size) when 
going from Eq. (5) to Eq. (15) is necessary. However, it is a tempting conjecture, as suggested by the 
pathologies of the accessible information exhibited recently [16, 17]. 

As a final application, we analyze the security of repeating QKD $t$ times, without assuming the availability 
of an authenticated classical channel. (Note that $t$ is a fixed parameter that does not grow with the problem 
size.) Each run of QKD $\kappa$ calls a composable authentication scheme $\alpha$ as a subroutine, and each run of 
$\alpha$ requires a composably secure key, which is provided by the previous round of $\kappa$ (as a subroutine to $\alpha$). 
Call the $t$ rounds of QKD our protocol $\mathcal{P}$. The associated tree for $\mathcal{P}$, and the ideal realization $\mathcal{P}_I$, are given 
in the far left and right of Figure 4. 

[Figure 4: sequence of trees from $\mathcal{P}$ (left) to $\mathcal{P}_I$ (right), with the advantages $\epsilon_\alpha, \epsilon_\kappa, \epsilon_\alpha, \epsilon_\kappa, \ldots, \epsilon_\kappa$ marked between consecutive trees.] 

Figure 4: Associated tree for $t$ rounds of $\kappa$ in the left. $\kappa_0$ represents some initially shared key. The 
arrows point from parents to children. Each tree to the right is obtained by replacing one node by its ideal 
functionality. The distinguishability-advantage of each pair of consecutive schemes is marked between their 
trees near the roots. Authentication is omitted in the ideal functionality $\mathcal{P}_I$. 



If $\kappa+\alpha_I$ $\epsilon_\kappa$-s.r. $\kappa_I$ (as in Eq. (10)) and if $\alpha+\kappa_I$ $\epsilon_\alpha$-s.r. $\alpha_I$, then $\mathcal{P}$ $t(\epsilon_\kappa+\epsilon_\alpha)$-s.r. $\mathcal{P}_I$. In other words, each additional 
round of QKD degrades the security parameter by an additive constant $(\epsilon_\kappa+\epsilon_\alpha)$. The same result can 
be obtained by using Theorem 2, or conversely, this simple exercise illustrates the idea behind Theorem 2. 
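As an added derivation (ours, not from the paper), the hybrid argument behind the $t(\epsilon_\kappa+\epsilon_\alpha)$ figure, written out for the sequence of trees in Figure 4; the labels $\mathcal{H}_0 := \mathcal{P}$, $\mathcal{H}_1, \ldots, \mathcal{H}_{2t} := \mathcal{P}_I$ for the intermediate trees are ours.

For $j = 1, \ldots, t$, let $\mathcal{H}_{2j-1}$ be obtained from $\mathcal{H}_{2j-2}$ by replacing the deepest remaining $\alpha$, whose key is by then supplied by an ideal source ($\kappa_0$ or a $\kappa_I$), with $\alpha_I$, and let $\mathcal{H}_{2j}$ be obtained from $\mathcal{H}_{2j-1}$ by replacing the $\kappa$ that now calls $\alpha_I$ with $\kappa_I$. Each step replaces one subprotocol by its ideal functionality with the rest of the tree absorbed into the environment, so by the definition of $\epsilon$-s.r. (Eq. (6)), for every environment $\mathcal{E}$,

$$|\Pr(\Gamma=0\,|\,\mathcal{H}_{2j-2}) - \Pr(\Gamma=0\,|\,\mathcal{H}_{2j-1})| \le \epsilon_\alpha , \qquad |\Pr(\Gamma=0\,|\,\mathcal{H}_{2j-1}) - \Pr(\Gamma=0\,|\,\mathcal{H}_{2j})| \le \epsilon_\kappa .$$

The triangle inequality over the $2t$ consecutive pairs then gives

$$|\Pr(\Gamma=0\,|\,\mathcal{P}) - \Pr(\Gamma=0\,|\,\mathcal{P}_I)| \le \sum_{i=0}^{2t-1} |\Pr(\Gamma=0\,|\,\mathcal{H}_i) - \Pr(\Gamma=0\,|\,\mathcal{H}_{i+1})| \le t\,\epsilon_\alpha + t\,\epsilon_\kappa ,$$

which is the $t(\epsilon_\kappa+\epsilon_\alpha)$-s.r. statement. The same sum is what Theorem 2 computes over the nodes of $T_{\mathcal{P}}$: $t$ nodes $\alpha$ contributing $\epsilon_\alpha$ each, $t$ nodes $\kappa$ contributing $\epsilon_\kappa$ each, and the leaf $\kappa_0$, already ideal, contributing $0$.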
A Notations 

We gather most of the notations used in the paper, roughly in the order of first appearance: 

• KD: key distribution 

• QKD: quantum key distribution 

• Alice and Bob: two honest parties trying to establish a common key 

• Eve: an active adversary 

• A, B, E: subscripts labelling objects related to Alice, Bob, and Eve respectively 
A, B, E: labels of their respective quantum systems 

• Capitalized letters denote random variables and the corresponding uncapitalized letters denote par- 
ticular outcomes 

• $K_A, k_A, K_B, k_B$: output keys for Alice and Bob 

• $K, k$: $k := k_A$ when $k_A = k_B$ 

• $M, m$: publicly announced key length at the end of QKD. $M = 0$ iff QKD is aborted. 

• $K_E, k_E$: classical data possibly extracted by Eve at the end of QKD by measuring her quantum state 

• $\Pr(\cdot)$: probability of the event "$\cdot$" 

• log: logarithm in base 2 

• $H(X)$, $I(X:Y)$, $I(X:Y|Z)$, and $I(X:Y|Z=z)$ for random variables $X, Y, Z$: 
$H(X) := -\sum_x \Pr(x) \log \Pr(x)$ is the entropy of $X$ 

$I(X:Y) := H(X) + H(Y) - H(XY)$ is the mutual information between $X$ and $Y$ 
$I(X:Y|Z=z)$ is the mutual information between $X$ and $Y$ conditioned on $Z = z$ 
$I(X:Y|Z) := \sum_z \Pr(z)\, I(X:Y|Z=z)$ is the conditional mutual information 

• $\rho$: generic symbol for a density matrix 

• $|\cdot\rangle$, $|\cdot\rangle\langle\cdot|$: $|\cdot\rangle$ denotes a vector in a Hilbert space, with label $\cdot$; $|\cdot\rangle\langle\cdot|$ denotes the "outer product" of 
$|\cdot\rangle$ and $\langle\cdot|$ or the projector onto the subspace spanned by $|\cdot\rangle$. 

• $\mathrm{Tr}(\cdot)$: the trace 
• $\mathrm{Tr}_{\mathcal{H}_1}(\cdot)$: the partial trace over the system $\mathcal{H}_1$. Let $\rho_{12}$ be the density matrix for a joint state on $\mathcal{H}_1$ 
and $\mathcal{H}_2$. $\mathrm{Tr}_{\mathcal{H}_1}(\rho_{12})$ is the state after $\mathcal{H}_1$ is discarded. 

• $\|\cdot\|_1$: the trace distance, which can be taken as the sum of the singular values 

• $F$: the fidelity. For two states $\rho_1, \rho_2$ in $\mathcal{H}$, $F(\rho_1, \rho_2) = \max_{|\psi_1\rangle, |\psi_2\rangle} |\langle\psi_1|\psi_2\rangle|^2$ where $|\psi_{1,2}\rangle \in \mathcal{H} \otimes \mathcal{H}'$ 
are "purifications" of $\rho_{1,2}$ (i.e., $\mathrm{Tr}_{\mathcal{H}'} |\psi_{1,2}\rangle\langle\psi_{1,2}| = \rho_{1,2}$) and $\langle\cdot|\cdot\rangle$ is the inner product. 

• $\rho_{E,k_A,k_B}$: Eve's view (both quantum and classical data) when the key outputs to Alice and Bob are 
$k_A, k_B$. 

• n: security parameter such as the number of qubits communicated in QKD 

• $p^m_{\rm qkd}$: the distribution of $K_A, K_B$ generated in QKD conditioned on $|K_A| = |K_B| = m$, 
i.e., $p^m_{\rm qkd}(k_A, k_B) = \Pr(K_A = k_A, K_B = k_B \,|\, M = m)$. 

• $p^m_{\rm ideal}$: the distribution over two $m$-bit strings defined as $p^m_{\rm ideal}(l, l') = 0$ if $l \neq l'$, $p^m_{\rm ideal}(l, l) = 2^{-m}$. 

• $\mathcal{V}$: the set of exponentially decaying functions of $n$ 

• $\sigma, \mathcal{P}, \sigma_I, \mathcal{P}_I$: $\sigma$ and $\mathcal{P}$ are generic labels for protocols, with $\sigma$ possibly used as a subroutine. The 
symbol of a protocol with a subscript $I$ denotes the ideal functionality of the protocol. $\mathcal{P}+\sigma$: a 
protocol $\mathcal{P}$ calling a subroutine $\sigma$. 

• $\mathcal{E}$, $S$: the environment and the simulator. These are sets of registers and operations and they are 
sometimes personified in our discussion. 

• $\Gamma$: output bit of $\mathcal{E}$ 

• $\epsilon$-s.r.: $\mathcal{P}$ $\epsilon$-s.r. $\mathcal{P}_I$ is a shorthand for $\mathcal{P}$ $\epsilon$-securely realizes $\mathcal{P}_I$ (see mathematical definition in Eq. (6)). 
$\epsilon$ is called the distinguishability-advantage between $\mathcal{P}$ and $\mathcal{P}_I$. 

• $T_{\mathcal{P}}$: the associated tree for a protocol $\mathcal{P}$ 

• $\alpha, \alpha_I$: universal composable authentication with negligible key requirement and its ideal functionality 

• $\kappa+\alpha$, $\kappa+\alpha_I$, $\kappa_I$: QKD using authentication $\alpha$, QKD using ideal authentication $\alpha_I$, and ideal KD 
defined in Sec. 4.2 

• Devil: an adversary that determines the key length $m$ generated by $\kappa_I$ 

• $\rho_{\rm qkd}$: state possessed by $\mathcal{E}$ after interacting with $\kappa+\alpha_I$, see Eq. (7) 

• $\rho_{\rm ideal}$: state possessed by $\mathcal{E}$ after interacting with $\kappa_I$, see Eq. (9) 

• $\rho_{\rm qi1}, \rho_{\rm qi2}$: hybrid, intermediate, states between $\rho_{\rm qkd}$ and $\rho_{\rm ideal}$, see Eqs. (12) and (13) 

• $\tilde{\rho}_m$: Eve's state when $M = m$, averaged over $K_A, K_B$. See Eq. (8) 

• $\bar{\rho}_m$: uniform average of $\rho_{E,k,k}$ for $|k| = m$. See Eq. (14) 

• Ensemble: a distribution $\{q_x\}_x$ of quantum states $\varrho_x$ denoted by $\{q_x, \varrho_x\}_x$ 

• $I_{\rm acc}$: accessible information of an ensemble $\{q_x, \varrho_x\}_x$, i.e., the maximum mutual information between 
$X$ and outcome $Y$ obtained from measuring a specimen $\varrho_X$ 

• $\mathrm{SD}(\varrho_0, \varrho_1)$: Shannon distinguishability of $\varrho_0$ and $\varrho_1$, defined as $I_{\rm acc}$ of the uniform distribution of 
$\{\varrho_0, \varrho_1\}$. 
• $\mathcal{F}_m$: the ensemble $\{2^{-m}, \rho_{E,k,k}\}_{|k|=m}$ 

• $\chi(\{q_x, \varrho_x\})$: Holevo information of an ensemble, given by $S(\sum_x q_x \varrho_x) - \sum_x q_x S(\varrho_x)$ where $S(\rho) = -\mathrm{Tr}(\rho \log \rho)$ 
is the von Neumann entropy 

• $\rho^m_{AB}$: state on which measurements by Alice and Bob output $K_A, K_B$ in QKD security proofs based 
on entanglement purification 

• $\Phi$: a perfect EPR pair $\frac12 (|00\rangle + |11\rangle)(\langle 00| + \langle 11|)$ 

• Singlet fidelity: $F(\rho^m_{AB}, \Phi^{\otimes m})$. Note that "singlet" usually refers to a state that is only unitarily 
equivalent to $\Phi$, but we borrow the term in this paper. 